All Your Base Are Belong To Us

February 8, 2013

Once upon a time, it was fairly challenging to determine which services were running in an individual svchost.exe process. Today, with Process Explorer, there’s nothing easier – just hover over the svchost.exe process and you get a list of services, or double-click an svchost.exe process and go to the Services tab:

A similar problem can arise with user-mode drivers (UMDF). User-mode drivers are COM DLLs loaded into WUDFHost.exe processes, and a single WUDFHost.exe process may host more than one user-mode driver. Process Explorer does not help in identifying which user-mode drivers are loaded into a WUDFHost.exe process, and although you can look at the list of DLLs and try to pick out the ones that represent drivers, a more reliable way would be welcome. One option is to look at the list of threads inside the process and identify the command threads that belong to UMDF drivers, such as this one:

A more reliable approach that will give you additional information on the driver and the device stack is the following:

Run WinDbg as an administrator and attach (File > Attach to Process) to the WUDFHost.exe process in which you are interested.

Type .load wudfext

Type !umdevstacks

The resulting output will be similar to the following, and allow you to identify which device stacks (and hence user-mode drivers) are hosted in that process:

This gives you enough information to identify everything that’s going on inside that process. By the way, if you’re into UMDF development, you should certainly check out the other commands in the wudfext extension, which give you insight into specific I/O requests, queues, and other UMDF objects.
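The three-step WinDbg procedure above is easy enough to script when you want to survey every WUDFHost.exe process on a machine at once. The following PowerShell script is an added example and is not code from the original post: it first applies the quick heuristic from the post (list the DLLs in each host process and keep the ones that live in the UMDF driver directory), and with -UseDebugger it runs the authoritative wudfext route through the console debugger cdb.exe, which accepts the same .load wudfext and !umdevstacks commands as WinDbg. The UMDF driver directory (%SystemRoot%\System32\drivers\UMDF) and the cdb.exe location under the Windows 8 kit are assumptions; adjust them for your installation. Run it from an elevated PowerShell session, since opening another account’s process and attaching a debugger both require administrative rights.

```powershell
# Added example (not from the original post): enumerate WUDFHost.exe processes,
# list the DLLs that look like UMDF drivers, and optionally run !umdevstacks via cdb.exe.
# Assumptions (adjust for your machine):
#   - UMDF driver DLLs are installed under %SystemRoot%\System32\drivers\UMDF
#   - cdb.exe is the Debugging Tools for Windows console debugger at $CdbPath
# Requires an elevated PowerShell session.

param(
    [string]$CdbPath = "$env:ProgramFiles\Windows Kits\8.0\Debuggers\x64\cdb.exe",  # assumed path
    [switch]$UseDebugger
)

$umdfDir = Join-Path $env:SystemRoot 'System32\drivers\UMDF'   # assumed UMDF driver location

$hosts = Get-Process -Name WUDFHost -ErrorAction SilentlyContinue
if (-not $hosts) {
    Write-Host "No WUDFHost.exe processes are running."
    return
}

foreach ($proc in $hosts) {
    Write-Host ("`nWUDFHost.exe PID {0}" -f $proc.Id)

    # Heuristic from the post: a loaded module whose file sits in the UMDF driver
    # directory is a user-mode driver; framework and system DLLs live elsewhere.
    # Reading .Modules can fail if the process cannot be opened, so handle that.
    $drivers = @()
    try {
        $drivers = $proc.Modules |
            Where-Object { $_.FileName -like "$umdfDir\*" } |
            Select-Object ModuleName, FileName
    } catch {
        Write-Warning ("  Could not read modules of PID {0}: {1}" -f $proc.Id, $_.Exception.Message)
    }

    if ($drivers) {
        $drivers | ForEach-Object { Write-Host ("  driver DLL: {0}  ({1})" -f $_.ModuleName, $_.FileName) }
    } else {
        Write-Host "  no DLL under $umdfDir found; use -UseDebugger for the reliable answer"
    }

    if ($UseDebugger) {
        if (-not (Test-Path $CdbPath)) {
            Write-Warning "cdb.exe not found at $CdbPath; pass -CdbPath pointing at your Debugging Tools install."
            continue
        }
        # Authoritative route, identical to the post's WinDbg steps: attach (-p PID),
        # load wudfext, dump the device stacks, then 'qd' detaches and quits so the
        # host process keeps running. cdb prints the !umdevstacks output to the console.
        & $CdbPath -p $proc.Id -c ".load wudfext; !umdevstacks; qd"
    }
}
```

The heuristic branch is cheap and needs no debugger, but it only recognises drivers installed in the standard directory; the cdb branch reads the framework’s own device-stack objects and is what to trust when the two disagree. Because cdb attaches invasively for the duration of the command, expect a brief pause in the host process while the commands run.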

I am posting short links and updates on Twitter as well as on this blog. You can follow me: @goldshtn